# kubectl get apiservices.apiregistration.k8s.io
v3.projectcalico.org                calico-apiserver/calico-api   False (FailedDiscoveryCheck)   3d23h

# kubectl describe apiservices.apiregistration.k8s.io v3.projectcalico.org
...
Status:
  Conditions:
    Last Transition Time:  2025-08-21T08:35:54Z
    Message:               failing or missing response from https://172.19.226.198:5443/apis/projectcalico.org/v3: bad status from https://172.19.226.198:5443/apis/projectcalico.org/v3: 401
    Reason:                FailedDiscoveryCheck
    Status:                False
    Type:                  Available
Events:                    <none>

# kubectl describe ns mysql-test
Name:         mysql-test
Labels:       kubernetes.io/metadata.name=mysql-test
Annotations:  <none>
Status:       Terminating
Conditions:
  Type                                         Status  LastTransitionTime               Reason                  Message
  ----                                         ------  ------------------               ------                  -------
  NamespaceDeletionDiscoveryFailure            True    Sat, 23 Aug 2025 20:26:51 +0800  DiscoveryFailed         Discovery failed for some groups, 1 failing: unable to retrieve the complete list of server APIs: projectcalico.org/v3: stale GroupVersion discovery: projectcalico.org/v3
  NamespaceDeletionGroupVersionParsingFailure  False   Sat, 23 Aug 2025 20:26:51 +0800  ParsedGroupVersions     All legacy kube types successfully parsed
  NamespaceDeletionContentFailure              False   Sat, 23 Aug 2025 20:26:51 +0800  ContentDeleted          All content successfully deleted, may be waiting on finalization
  NamespaceContentRemaining                    False   Sat, 23 Aug 2025 20:26:52 +0800  ContentRemoved          All content successfully removed
  NamespaceFinalizersRemaining                 False   Sat, 23 Aug 2025 20:26:52 +0800  ContentHasNoFinalizers  All content-preserving finalizers finished

# kubectl logs -n calico-apiserver calico-apiserver-xxx --timestamps
calico-apiserver Unable to authenticate the request" error="[x509: subject with cn=front-proxy-client is not in the allowed list, verifying certificate x509: certificate signed by unknown authority

#二進(jìn)制部署：
vim /usr/lib/systemd/system/kube-apiserver.service
#kubeadm部署：
vim /etc/kubernetes/manifests/kube-apiserver.yaml
---
#新增白名單
--requestheader-allowed-names=aggregator,front-proxy-client

kubectl -n kube-system get cm extension-apiserver-authentication -o yaml|grep "requestheader-allowed-names"